Edward Snowden sparks fear in corporate America

Edward Snowden isn’t just a nightmare for the National Security Agency.

He also epitomizes a little-mentioned but intense ongoing fear of corporate America — that any lone renegade among millions of trustworthy employees could abuse access to private customer data for idealistic or villainous purposes.

“At our company, nobody has any idea exactly who has what access,” an information technology specialist for a major bank told POLITICO. “There are safeguards, but by the time anyone knows what someone’s done, the violator could be off to Hong Kong with Brad Pitt’s credit card statements and sell them to TMZ. It’s easier to imagine it than it is to fully prevent it.”

There are the fired hospital staffers who dipped into medical records of the “Octomom” and Farrah Fawcett; the State Department employees who browsed the passport files of then-presidential candidates John McCain, Hillary Clinton and Barack Obama; and the Canadian bank clerk who checked out the account of her husband’s ex-wife.

All had access to sensitive information on their jobs as a matter of routine — and they breached that trust.

Hong Kong is the locale of self-exile chosen by Snowden, who stepped forward as the person who leaked to the media a trove of documents detailing NSA’s classified high-tech surveillance programs. Snowden said he did it to expose government overreach and to prompt a national discussion about privacy.

Whatever the motives, the fact that as many as a half-million people have Snowden’s government access level has raised eyebrows this week. Similarly, countless employees – from systems administrators to $12-an-hour customer services reps – have some way to view customer files in the financial, health care and communications sectors.

“We haven’t heard of the Edward Snowden of health IT, at least as of yet,” said Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology in Washington D.C. “Is the capacity there for that to happen? Oh, sure. With any employee who manages data within any organization, there’s a possibility they could go rogue.”

McGraw added: “Employee snooping is a huge problem. We end up finding out about it when it’s a VIP who is the victim. But in a lot of small towns, the hospital is the largest employer and looking up your neighbor is pretty common.”

Officials with major companies from Merck to American Express said they have sophisticated tracking systems in place and grant employees access only to the narrow slices of information they need to do their jobs. Those companies declined to detail their security operations, but John Oxford of the Mississippi-based bank Renasant Corporation said his firm uses a combination of email surveillance, layers of passcode requirements for access and rigorous employee training.

While Oxford said it’s generally successful “because people like to keep their jobs,” the Snowden case reminded him that even in the most robust security apparatuses, there are vulnerabilities.

“Obviously if someone in a position of national trust with a top level of clearance can cause this much damage, you can imagine how that can trickle down to business and industry,” said Oxford, whose company has 85 bank branches and handles $4.2 billion in assets. “We try to limit access to information to only what an employee needs and we have safeguards, but there’s human ability that electronics can’t measure.”

The potential breaches are easy to imagine. A pharmacist can look up a movie star’s medication. A bank teller can see if a politician has been depositing unusual sums of cash. The phone company’s IT guy can check his cheating girlfriend’s call logs.